Volatility Labs

Friday, November 16, 2018

Let’s begin by thanking all of the participants in this year’s contests! This year we hosted the 6th Annual Volatility Plugin Contest, and we introduced the Inaugural Analysis Contest. We were encouraged to see submissions from our community members around the globe. As in previous years of the Plugin Contest, there were a lot of exciting submissions spanning tools created by practitioners in the field to published academic research. Participation in these contests demonstrates the importance of memory analysis and provides a platform for the innovative research being done in the field.

Volatility continues to thrive because of its active community of contributors. These contributors sacrifice their time and resources to make the world’s most advanced memory forensics platform free and open source. You can show your appreciation for the participants hard work and contributions to the community by following them on Twitter/GitHub/LinkedIn, providing feedback on their ideas, and helping to improve their code with testing, documentation, or contributing patches.

We would also like to thank our sponsors: Magnet Forensics and Volexity. When looking for a new job or searching for forensics tool vendors, we definitely recommend considering companies that demonstrate continued support for open source forensics!

Placements and Prizes for the 2018 Volatility Plugin Contest:
1st place and $1500 USD cash or One Free Seat at Malware and Memory Forensics Training by the Volatility Team goes to:

Aliz Hammond for Gargoyle

2nd place and $750 USD cash goes to:

Aleksander Østerud for MemoryDecompression

3rd place and $250 USD cash goes to:

Lorenz Liebler et al. for the Volatility Plugin for Approxis

4th place and Volatility swag goes to:

David Quesada for CSV and Splunk Dashboard

5th place and Volatility swag goes to:

Peter Casey for Vivedump

Placements and Prizes for the 2018 Volatility Analysis Contest:
1st place and $1500 USD cash or One Free Seat at Malware and Memory Forensics Training by the Volatility Team goes to:

Team Decepticon (South Korea) for 2018 VAC Report

2nd place and $750 USD cash goes to:

Team MalGround (South Korea) for 2018 PyeongChang Olympic Destroyer

Here is a detailed summary of the submissions. If you have feedback for the participants, we're sure they'd love to hear your thoughts!

Plugin Contest

1st: Gargoyle by Aliz Hammond

In the author's words, "Gargoyle works by placing malicious code inside a non-executable area of memory. It then creates a system timer, configuring it to execute a ROP chain on expiry. The ROP chain calls VirtualProtectEx, marking the malicious code as executable, calls the malicious code, and then calls VirtualProtectEx a second time – this time, marking the malicious code as non-executable. The timer is then reinitialised and the cycle starts anew." Gargoyle has the potential to evade live memory scanners (such as AVs, EDRs, etc.) that only look for payloads in executable memory, because the payload is non-executable except for the brief window in which the timer's ROP chain is running it.

This Volatility plugin builds on the existing timers plugin (to which the author also submitted a patch) and inspects timer APCs (instead of just the DPCs). The plugin uses Unicorn to emulate the APC's instructions and detect (and then follow) the ROP chain to the VirtualProtectEx call. The plugin inspects parameters passed to VirtualProtectEx on the stack and can then pivot to the newly executable payload.
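To make the plugin's approach concrete, here is an added illustration (not the Gargoyle plugin's code and not Gargoyle itself) of the last two steps described above: following a chain of return addresses until it lands on VirtualProtectEx and then decoding the x86 stdcall frame to see which region is being made executable. The real plugin emulates the APC's actual instructions with Unicorn; this stand-in replaces emulation with a table of known gadget addresses, each described only by how many stack slots it pops before its final ret. Every address, the gadget table and the stack snapshot are constructed for the example; the page-protection constants are the documented Win32 values.

```python
"""Toy follower for a Gargoyle-style timer ROP chain (added example)."""
import struct

# Win32 page-protection constants (winnt.h).
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

# Hypothetical addresses for the example. In a real analysis these come from the
# loaded-module list and a gadget finder run over the mapped DLLs.
VIRTUAL_PROTECT_EX = 0x7C801A61          # assumed address of kernel32!VirtualProtectEx
GADGETS = {                               # gadget address -> dwords popped before 'ret'
    0x7C90E1C0: 0,                        # ret
    0x7C90E2A4: 1,                        # pop ecx ; ret
    0x7C90E3F8: 2,                        # pop esi ; pop edi ; ret
}

def follow_chain(stack, esp_base, esp, gadgets, target, max_steps=64):
    """Walk return addresses on `stack` (bytes whose first byte lives at esp_base).

    Returns the stack pointer at the moment `target` is entered, i.e. the slot
    holding the return address that precedes the stdcall arguments, or None if
    the chain leaves the known gadgets or does not reach the target in time.
    """
    for _ in range(max_steps):
        off = esp - esp_base
        if off < 0 or off + 4 > len(stack):
            return None                   # ran off the captured stack
        pc = struct.unpack_from("<I", stack, off)[0]
        esp += 4                          # the 'ret' consumed this slot
        if pc == target:
            return esp
        if pc not in gadgets:
            return None                   # not a gadget we know: stop, do not guess
        esp += 4 * gadgets[pc]            # skip the slots the gadget pops
    return None

def decode_virtualprotectex_args(stack, esp_base, esp_at_call):
    """x86 stdcall on entry: [ret][hProcess][lpAddress][dwSize][flNewProtect][lpflOldProtect]."""
    ret, hproc, addr, size, prot, old = struct.unpack_from("<6I", stack, esp_at_call - esp_base)
    return {"return": ret, "hProcess": hproc, "lpAddress": addr, "dwSize": size,
            "flNewProtect": prot, "lpflOldProtect": old,
            "makes_executable": bool(prot & EXECUTABLE_MASK)}

def analyse_timer_apc(stack, esp_base, esp):
    """Follow the chain from the APC's initial stack pointer; decode the VirtualProtectEx call if reached."""
    esp_at_call = follow_chain(stack, esp_base, esp, GADGETS, VIRTUAL_PROTECT_EX)
    return None if esp_at_call is None else decode_virtualprotectex_args(stack, esp_base, esp_at_call)

# Constructed stack snapshot: two gadgets, then VirtualProtectEx with its frame.
PAYLOAD_ADDR = 0x00350000                 # hypothetical payload region, non-executable at rest
SAMPLE_ESP = 0x0012FF00
SAMPLE_STACK = struct.pack("<12I",
    0x7C90E2A4, 0xDEADBEEF,               # pop ecx ; ret   (junk into ecx)
    0x7C90E3F8, 0x11111111, 0x22222222,   # pop esi ; pop edi ; ret
    VIRTUAL_PROTECT_EX,
    PAYLOAD_ADDR,                         # return address: VirtualProtectEx returns into the payload
    0xFFFFFFFF,                           # hProcess: GetCurrentProcess() pseudo-handle
    PAYLOAD_ADDR, 0x1000,                 # lpAddress, dwSize
    PAGE_EXECUTE_READWRITE,               # flNewProtect
    0x0012FFA0,                           # lpflOldProtect
)

if __name__ == "__main__":
    print(analyse_timer_apc(SAMPLE_STACK, SAMPLE_ESP, SAMPLE_ESP))
```

The interesting output is `lpAddress`/`dwSize` together with `makes_executable`: that is the region to dump and scan, even though at capture time it is not executable and a protection-based scanner would skip it. Stopping on the first unknown address (rather than guessing) is deliberate; false positives in a timer-walking detection are expensive to triage.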

2nd: MemoryDecompression by Aleksander Østerud

The MemoryDecompression submission provides a mechanism for decompressing memory pages that the operating system compressed during memory management. Instead of paging memory directly to disk, the Windows 10 memory manager can compress private and pagefile-backed pages to reduce memory pressure. This improves performance, since writing to disk is far more expensive than compressing in RAM, and the reduced number of disk writes also extends the life of the storage device. For the analyst it means that page contents of interest may be present in a memory sample but invisible to string searches and existing plugins until they are decompressed. The tool takes a brute-force approach to locating and decompressing compressed pages and can be run against both memory samples and page files. By preprocessing the data with Volatility's vaddump and memdump plugins, it is also possible to extract just the compressed memory and reduce processing time. The MemoryDecompression tool requires a system running either Windows 8 or Windows 10.
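As an added example (not the MemoryDecompression tool's code), the block below shows what "brute-force decompression of pages" looks like in practice: an inflater for the plain LZ77 variant of Microsoft's Xpress format (specified in MS-XCA), a tiny matching compressor so the demo has realistic input, and a scanner that tries to inflate exactly one 4 KiB page at every 16-byte-aligned offset of a blob. The page itself does not name the algorithm; that Windows 10's compression store uses this Xpress variant comes from later public research and is treated as an assumption here. The sample page contents are constructed.

```python
"""Xpress plain-LZ77 decoder plus a brute-force scanner for compressed pages (added example)."""
import struct

def _decode(buf, max_out):
    """Inflate `buf`; return (output, input bytes consumed). Raises ValueError on corrupt data.
    Stops at the end-of-stream marker, at the end of `buf`, or once `max_out` bytes exist."""
    out, in_idx, flags, flag_count, nibble_idx = bytearray(), 0, 0, 0, 0
    while in_idx < len(buf) and len(out) < max_out:
        if flag_count == 0:                           # 32 flag bits precede the items they describe
            flags = struct.unpack_from("<I", buf, in_idx)[0]
            in_idx += 4
            flag_count = 32
        flag_count -= 1
        if not flags & (1 << flag_count):             # flag 0: literal byte
            out.append(buf[in_idx])
            in_idx += 1
            continue
        if in_idx == len(buf):                        # flag 1 with no data left: end-of-stream marker
            break
        token = struct.unpack_from("<H", buf, in_idx)[0]
        in_idx += 2
        offset, length = (token >> 3) + 1, token & 7
        if length == 7:                               # length did not fit in 3 bits: read extensions
            if nibble_idx == 0:                       # one shared byte carries two 4-bit lengths
                length, nibble_idx = buf[in_idx] & 0x0F, in_idx
                in_idx += 1
            else:
                length, nibble_idx = buf[nibble_idx] >> 4, 0
            if length == 15:
                length = buf[in_idx]
                in_idx += 1
                if length == 255:
                    length = struct.unpack_from("<H", buf, in_idx)[0]
                    in_idx += 2
                    if length < 22:
                        raise ValueError("corrupt extended match length")
                    length -= 22
                length += 15
            length += 7
        length += 3
        if offset > len(out):
            raise ValueError("match reaches before the start of the output")
        for _ in range(min(length, max_out - len(out))):
            out.append(out[-offset])                  # byte-wise copy handles overlapping matches
    return bytes(out), in_idx

def lz77_plain_decompress(buf, max_out=1 << 20):
    return _decode(buf, max_out)[0]

def lz77_plain_compress(data, window=256, max_len=9):
    """Greedy encoder using literals and short matches only (enough for valid demo streams)."""
    out, flags, nflags, flag_pos = bytearray(), 0, 0, None

    def emit_flag(bit):
        nonlocal flags, nflags, flag_pos
        if flag_pos is None:                          # reserve the flag word ahead of its items
            flag_pos = len(out)
            out.extend(b"\0\0\0\0")
        flags, nflags = (flags << 1) | bit, nflags + 1
        if nflags == 32:
            struct.pack_into("<I", out, flag_pos, flags)
            flags, nflags, flag_pos = 0, 0, None

    i = 0
    while i < len(data):
        best_len, best_off = 0, 0
        for off in range(1, min(i, window) + 1):
            n = 0
            while n < max_len and i + n < len(data) and data[i + n - off] == data[i + n]:
                n += 1
            if n > best_len:
                best_len, best_off = n, off
        if best_len >= 3:
            emit_flag(1)
            out.extend(struct.pack("<H", ((best_off - 1) << 3) | (best_len - 3)))
            i += best_len
        else:
            emit_flag(0)
            out.append(data[i])
            i += 1
    emit_flag(1)                                      # end-of-stream: a match flag with no data behind it
    if flag_pos is not None:
        struct.pack_into("<I", out, flag_pos, flags << (32 - nflags))
    return bytes(out)

def find_compressed_pages(blob, page_size=4096, align=16):
    """Brute force: try to inflate one page at every aligned offset. A hit must yield exactly
    one page from fewer than a page of input, which rejects zero runs and literal-only data."""
    hits = []
    for off in range(0, len(blob), align):
        try:
            out, used = _decode(blob[off:], page_size)
        except (ValueError, struct.error, IndexError):
            continue
        if len(out) == page_size and used < page_size:
            hits.append((off, used))
    return hits

# Constructed page: a repetitive path string, the kind of data that compresses well.
SAMPLE_PAGE = (b"C:\\Windows\\System32\\ntoskrnl.exe\x00" * 200)[:4096]

if __name__ == "__main__":
    compressed = lz77_plain_compress(SAMPLE_PAGE)
    print(len(compressed), find_compressed_pages(b"\xff" * 64 + compressed + b"\xff" * 96))
```

The scanner's acceptance test is a heuristic and will still produce occasional false positives on dense binary data; a real tool narrows the search to the compression store's regions (which is what the vaddump/memdump preprocessing mentioned above achieves) and validates hits against known page structure.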

3rd: Volatility Plugin for Approxis by Lorenz Liebler et al.

Lorenz Liebler, Patrick Schmitt, and Harald Baier implemented Approxis, a tool for quickly processing a large number of on-disk binaries and subsequently matching/identifying parts of those binaries, or related code, in physical memory images. The technique combines approximate matching (a.k.a. fuzzy hashing or similarity hashing) with an additional layer of approximate disassembling. The tool is able to distinguish code from data even in light of significant variation between the original binary and the target memory image. Approxis has two components: (1) a C/C++ tool for creating and querying a binary database, and (2) a Volatility plugin for presenting context-specific information about matches.

4th: CSV and Splunk Dashboard by David Quesada

The Splunk dashboard presents over 30 prepared searches across the output of various Volatility plugins. After running the desired plugins and ingesting the CSV output into Splunk, a Volatility user can load this dashboard and start looking for anomalous activity within the memory sample. Over time, a dashboard like this could be built up with more queries for finding and alerting on malicious activity in memory samples. David was inspired to create this tool after attending Malware and Memory Forensics Training taught by Andrew Case.

5th: Vivedump by Peter Casey

Vivedump is a plugin to extract and recreate visual scene information from virtual reality (VR) device memory captures. The plugin's ability to create 3D still images of VR scenes gives the investigator a precise look at a user's actions inside of the virtual world. This novel research opens many possibilities into the under-explored topic of VR memory forensics. The tool is only a small piece of larger scale research that analysts at University of New Haven have been doing to help users better understand the risks of using VR, and to help investigators learn the associated artifacts.

Analysis Contest

1st: 2018 VAC Report by Team Decepticon (South Korea)

The authors of this report put together a realistic lab scenario modeled after Korean APT investigations they have performed. We were not only impressed by the number of Volatility plugins represented in the analysis, but also that the infected systems spanned multiple operating systems (Windows and Linux). Memory analysis was leveraged to shed light on the toolkits and methodologies used by the attackers, including EternalBlue, DarkComet, spear phishing, HWP exploits, DLL injection, MongoDB vulnerabilities, and more. Evidence from Outlook PSTs was reconstructed from RAM, and shellcode was located and identified in memory using yarascan, volshell, and various other capabilities provided by Volatility.

2nd: 2018 PyeongChang Olympic Destroyer by Team MalGround (South Korea)

This analysis report, written by the MalGround team from South Korea, describes a scenario based on the Olympic Destroyer events surrounding the 2018 PyeongChang Winter Olympic Games. Before the Olympics officially began, the attackers attempted to disrupt the opening ceremony by taking the event's critical computer systems and infrastructure offline. The attack was initiated with a targeted spear phish and then leveraged a network worm that propagated using network shares and stolen credentials. The simulated scenario involved three systems: an Active Directory server running Windows Server 2008 R2 Standard 64-bit, a victim PC running Windows 7 Ultimate K x86, and an attacker PC running Kali Linux 64-bit. In the simulated scenario, a fileless attack using Empire (Mimikatz, BypassUAC) is combined with the actual Olympic Destroyer malware. The authors leveraged memory analysis to find supporting temporal artifacts, identify suspicious characteristics of processes, and extract memory-resident strings and executables. This submission includes the analysts' report and a memory sample from the Windows 7 machine on which the Olympic Destroyer malware was executed.

Volatility Plugin Contest

Heading into its sixth year, the Volatility Plugin Contest encourages research and development in the field of memory analysis. The contest provides an opportunity for people to get industry-wide visibility for their work, to put groundbreaking capabilities immediately into the hands of investigators, and to contribute back to the open source forensics community. Not to mention, the opportunity to win cash and prizes. We are thankful to Magnet Forensics for donating $2500 in support of this year's Volatility Plugin Contest.

If you are looking for inspiration for the Volatility Plugin Contest, please check out the previous results.

Volatility Analysis Contest

As a result of Magnet Forensics' contribution, we decided to use the original prize money to launch the first Volatility Analysis Contest. The Volatility Analysis Contest is intended to encourage people to share the creative ways they are using Volatility to augment their analysis efforts. For example, it may include techniques for augmenting malware analysis, expediting reverse engineering, finding critical artifacts during an investigation, or triaging new indicators. The goal is to write an analysis report detailing how Volatility was used to find relevant artifacts within memory.

If you are looking for ideas for the Volatility Analysis Contest, find a sophisticated malware sample or attack framework and document how Volatility can be used to find its artifacts in memory. Previous examples from the Volatility team include: Stuxnet, Phalanx, and Careto.

Thanks again to Magnet Forensics for their generous donation and support! We would also like to thank Volexity and our other sustaining donors for their continued support.

Wednesday, February 28, 2018

After another highly successful year of our Malware and Memory Forensics training, which included sold-out public trainings in Herndon, VA and London as well as several private trainings, we are excited to announce our lineup of public trainings for 2018.

Our first offering will be back in Herndon in April from the 16th to the 20th. This class is already over 80% full, so please contact us ASAP if you wish to attend this offering.

We will also be back in Herndon for the week of October 15th to the 19th. Our Fall classes in the Herndon/Reston area have consistently been the fastest to sell out, so please lock in your seat as early as possible.

Finally, we will be returning to Europe with an offering in Amsterdam in September from the 4th to the 7th. Please note that this class will run Tuesday-Friday instead of the normal Monday-Friday. To make up for the missing time, the Tuesday-Friday sessions will each run until 6PM.

Our course is constantly evolving in order to cover the latest operating system updates, malware techniques, and attacker tactics. The following highlights some of the new material for our 2018 offerings:

In closing this update, we would again like to thank the DFIR community for its continued support of the Volatility project and our associated training course. If you will be at BSidesNOLA, Black Hat Vegas, or OSDFCon later this year then please come introduce yourself in person!

Tuesday, November 21, 2017

Congratulations to all the participants! This year's contest resulted in a ton of new and exciting functionality available to law enforcement agents, DF/IR practitioners, malware analysts, and researchers around the globe, which can immediately be transitioned into their workflows. That's the whole spirit of open source memory forensics with Volatility, and we're once again very proud to sponsor a contest with such impressive results.

After over 10 years of development with the Volatility Framework and 4 years of previous plugin contests, you might think that there's nothing left to do, but the community continuously proves otherwise. This year, in particular, we were super impressed not only with the creativity and quality of the submissions, but the fact that several works were influenced by or in support of submissions from previous contests.

Everyone is a winner in this contest. Although a few developers will walk away with prizes, they all solved a problem that they (and inevitably others) faced, gained experience writing Python plugins, and learned some intricacies of memory analysis internals. The capability to program around technical issues and design/implement solutions is a gift. You can applaud by following the authors on Twitter/GitHub/LinkedIn, providing feedback on their ideas, and helping to improve their code with testing, documentation, or contributing patches.

Here is a detailed summary of the submissions. If you have feedback for the authors, we're sure they'd love to hear your thoughts.

1st: Xabier Ugarte-Pedrero (Cisco Talos): PyREBox

PyREBox provides an extensible reverse engineering sandbox that combines debugging capabilities with introspection. The analyst can interact with the guest running under the whole-system emulator (QEMU) either manually, through IPython, or by writing Python scripts. Unlike previous reverse engineering platforms, PyREBox is explicitly designed for modern threat analysts and the tasks they commonly perform. PyREBox also leverages Volatility to help bridge the semantic gap typically associated with virtual machine introspection.

The KSL Group (Kyle Ness, Shachaf Atun, Liam Stein) submitted the threadmap plugin, which is the result of their extensive research comparing and contrasting weaknesses in existing tools for identifying code injection based on process hollowing. The authors found an obvious gap between the prevalence of attacks in the wild that leverage process hollowing and the strength of tools that can perform detection reliably. Based on the documentation provided alongside the Volatility plugin, the authors not only analyzed existing malware samples (i.e. a reactive approach) but also developed their own variations of process hollowing that are likely to be seen in the near future - and included coverage for those types of attacks as well.

Something magical happens when reverse engineers write Volatility plugins. Peter and Michal from ESET have been tracking banking trojans and man-in-the-browser (MITB) malware for a while now, documenting the methods that malware authors use to subvert victim systems - in particular, how they find and hook the SSL VMT (virtual method table) even in Chromium-based browsers that statically link the SSL libraries, change regularly, and don't export the table locations. Studying the pros and cons of attacker methodologies, learning from them in order to create a more robust detection platform, and immediately transitioning that knowledge into a capability analysts can use (via Volatility) requires a unique skill set. In addition to exposing these previously undetected API hooks, the authors also extended Volatility's apihooks plugin to work on WOW64 processes (32-bit processes on 64-bit Windows) and integrated their work into VolUtility - a submission to last year's plugin contest.

Michael Brown wrote a seriously cool set of Volatility plugins to interrogate SQL artifacts in RAM. Influenced by Dave Lassalle's previous work for the 2014 Volatility Plugin Contest, Michael wrote a more generalized version of the SQL tools that can search for any table schema. In his own words, "You can enter your own schema, but Sqlitefind can also automatically find table definitions in the sqlite_master table, so the user doesn't need to know the schema beforehand! You can even discover tables that you didn't know were in memory." Given the number of applications that rely on sqlite3 under the hood, this opens doors to an unexplored world of application artifacts.

Adam's contribution to this year's contest is the first of its kind - a set of plugins to analyze forensic artifacts of the X Window System on Linux. The data structures recovered by the plugins belong to the X server itself, so they work independently of the Linux distribution or window manager. Captured information includes details about each window, such as X and Y coordinates, width and height, parent window objects, window IDs, color schemes, and atom associations. Out of the box, the plugins can be used to determine the titles of browser windows (URLs visited) and of LibreOffice windows (opened documents), and in the future - potentially even a screenshot plugin for Linux!

Frank's submission to this year's contest introduces a library to parse the user mode heap of a process using Glibc (currently supports x86/x64 and Glibc versions 2.20 - 2.25), an API for developers to create their own plugins, and two example plugins that demonstrate the forensic value - command shell history (zsh) and password management (keepassx). We are super impressed with the level of effort Frank put into this suite of tools. Not only did he implement a model of multiple Glibc versions, but he documented the library's internals, produced a 60+ page academic technical report and published a condensed 10-page DFRWS paper.
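To show what parsing a Glibc heap from a memory image involves, here is an added example; it is not Frank's library, which models the internals of several Glibc versions in far more detail. It relies only on the stable parts of the 64-bit malloc_chunk layout: an 8-byte prev_size, an 8-byte size word whose low three bits are flags (PREV_INUSE 0x1, IS_MMAPPED 0x2, NON_MAIN_ARENA 0x4), user data starting 16 bytes into the chunk, and the rule that a chunk is allocated when the following chunk has PREV_INUSE set. The heap region, its base address, the zsh extended-history lines and the freed-chunk remnant are all constructed for the example.

```python
"""Walk glibc malloc chunks in a heap region carved from a memory image (added example)."""
import struct

PREV_INUSE, IS_MMAPPED, NON_MAIN_ARENA = 0x1, 0x2, 0x4   # low bits of the size word
MIN_CHUNK = 0x20                                          # smallest 64-bit glibc chunk

def walk_chunks(heap, base=0):
    """Yield (address, chunk size, in_use, user data) for every chunk up to the top chunk.

    A chunk's own header does not say whether it is allocated; that is the
    PREV_INUSE bit of the following chunk. The chunk whose size reaches the end
    of the region is reported as the top chunk and ends the walk."""
    off = 0
    while off + 16 <= len(heap):
        size = struct.unpack_from("<Q", heap, off + 8)[0] & ~0x7
        if size < MIN_CHUNK or size % 16 or off + size > len(heap):
            raise ValueError(f"implausible chunk size {size:#x} at {base + off:#x}")
        if off + size == len(heap):
            yield base + off, size, False, b""
            return
        in_use = bool(struct.unpack_from("<Q", heap, off + size + 8)[0] & PREV_INUSE)
        # User data runs from +16 up to the next chunk's size field: an allocated
        # chunk may use the following prev_size field as payload.
        yield base + off, size, in_use, bytes(heap[off + 16: off + size + 8])
        off += size
    raise ValueError("heap region ended without a top chunk")

def allocated_strings(heap, base=0, min_len=4):
    """Return (address, text) for allocated chunks that begin with a printable NUL-terminated string."""
    found = []
    for addr, size, in_use, data in walk_chunks(heap, base):
        s = data.split(b"\0", 1)[0]
        if in_use and len(s) >= min_len and all(0x20 <= c < 0x7F for c in s):
            found.append((addr + 16, s.decode("ascii")))
    return found

def build_chunk(payload, size, prev_size=0, prev_inuse=True):
    """Constructed chunk: header, then payload padded to the chunk size (test data only)."""
    assert size % 16 == 0 and len(payload) <= size - 16
    hdr = struct.pack("<QQ", prev_size, size | (PREV_INUSE if prev_inuse else 0))
    return hdr + payload.ljust(size - 16, b"\0")

# Constructed heap: two live zsh extended-history lines, a freed chunk between them
# whose first 16 bytes were overwritten by the fd/bk pointers, then the top chunk.
# Addresses, timestamps and commands are invented.
HEAP_BASE = 0x555555559000
HISTORY_1 = b": 1510000000:0;ssh admin@203.0.113.10"
HISTORY_2 = b": 1510000042:3;scp ./dump.raw admin@203.0.113.10:/tmp/"
FREED = struct.pack("<QQ", 0x7F3A1C5B2BE0, 0x7F3A1C5B2BE0) + b"id_rsa\0"
SAMPLE_HEAP = (
    build_chunk(HISTORY_1, 0x60)
    + build_chunk(FREED, 0x30)                                       # freed: next chunk clears PREV_INUSE
    + build_chunk(HISTORY_2, 0x50, prev_size=0x30, prev_inuse=False)
    + struct.pack("<QQ", 0, 0x120 | PREV_INUSE).ljust(0x120, b"\0")  # top chunk
)

if __name__ == "__main__":
    for addr, size, in_use, data in walk_chunks(SAMPLE_HEAP, HEAP_BASE):
        print(f"{addr:#x} size={size:#x} {'used' if in_use else 'free'} {data[:24]!r}")
    print(allocated_strings(SAMPLE_HEAP, HEAP_BASE))
```

Two practical points the walk makes visible: freed chunks keep everything past the overwritten pointer words, so the tail of a freed command or key path is still recoverable, and a walk that throws on an implausible size is preferable to one that silently resynchronises, because a corrupted or partially paged-out heap is common in real samples and guessed chunk boundaries produce convincing-looking garbage.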

The following submissions appear in the order they were received. As previously mentioned, these developers deserve huge props. We look forward to seeing future work by these authors!

Mark McKinnon: Volatility Autopsy Modules

Mark's work on integrating Volatility output into the Autopsy GUI will undoubtedly make life easier for many investigators. Whether they are unfamiliar with command line tools, uncomfortable in a Linux environment, or just want to save time and visualize memory artifacts across different cases in the same interface, this is a huge advantage for Autopsy users. The module includes a generic interface that allows running any Volatility plugin that supports SQLite rendering. It also contains more specialized modules that take the output of Volatility's dumpfiles (extract files from RAM) and imagecopy (convert hibernation and crash dump files to raw) plugins and make their results available in Autopsy as well, creating a near-full circle of analysis between disk and memory, all captured in the same GUI.

As a malware analyst, Javier starts most of his work with Windbg or Volatility and then pivots to IDA Pro to gain a detailed understanding of the malicious code. In this line of work, having access to symbols for the malware being disassembled or debugged is practically a requirement if you want to be efficient. The symbolizemod plugin lets you extract variables and symbols from a particular memory region and exports them as a DBG file, which is a common format understood by IDA Pro and Windbg. The end goal is similar to Volatility's existing impscan plugin, except impscan only exports in text and IDC formats. In fact, symbolizemod also includes a command line switch to leverage impscan's engine for enumerating symbols. By default, however, symbolizemod uses its own engine (called "raw mode") which in some cases can produce different results.

Chrome Ragamuffin is part of a larger research project started by Alessandro over a year ago. Although the research is ongoing, Alessandro's Volatility plugin is already full of features and it's one of the most compelling examples of recovering application-level artifacts that we've seen. Overcoming challenges such as incognito mode and the fact that Chrome updates automatically nearly every time you launch it, Alessandro managed to dissect critical in-memory data structures related to the browser's DOM and the user's navigation. Alessandro has presented his work at OSDFCon and BSides Zurich, showing how to analyze memory to detect CSRF, clickjacking, phishing, and malicious redirects.

Tuesday, June 6, 2017

As we head into summer, we wanted to let everyone know that for 2017 we only have two remaining public offerings of our highly popular and newly updated Malware and Memory Forensics training course. If you would like to join us, our international course will be in London during the week of September 18th - 22nd, and our US course will be back in Herndon during the week of October 16th - 20th.

Our cutting edge materials are one of the main reasons students value our course. We don't teach the same concepts year after year. Instead, we update our class regularly, to stay in sync with (and in some cases, ahead of) the rapidly changing attack surfaces, advances in defense technologies, malware hiding tricks, and operating system forensics artifacts. A few recent additions include:

Not only will you be learning these memory forensics topics directly from the authors of the Volatility Framework and The Art of Memory Forensics, but you will also receive Volatility stickers, a branded USB drive, a copy of The Art of Memory Forensics (digital or print), and various opportunities to win SyncStops - all nicely documented by a former student.

One of the most popular class contests is our CTF that pits individuals (or teams of two) against the rest of the class, in a challenge that involves analyzing Windows and Linux memory samples in a scenario resembling events that unfolded during the 2016 U.S. Presidential Election.

Besides the core knowledge needed to perform effective memory forensics, we also teach the latest tools and techniques for reliable memory acquisition. Students will gain experience using Volexity Surge Collect Pro for robust, fast, and secure collection of Windows memory to local and remote/network-based destinations. Students can purchase Surge licenses at a discounted price during course registration (see Memory Forensics Training FAQ) or separately after the class.

In closing this update, we would again like to thank the DFIR community for its continued support of the Volatility project and our associated training course. In particular, all the newcomers who are just starting to explore memory analysis, as well as our alumni and numerous repeat students who just can't get enough!

On a side note, if you are going to be at DFRWS or Black Hat this summer then be sure to come introduce yourself!

Thursday, April 20, 2017

It's that time again, folks! The 2017 Volatility Plugin Contest is now live and accepting submissions until October 1st, 2017. Winners of this year's contest will be receiving over $2,250 in cash prizes as well as plenty of Volatility swag (t-shirts, stickers, mugs, SyncStops, etc.).

The purpose of the contest is to encourage open memory forensics research and development. It is a great opportunity for students to become familiar with memory forensics, develop a master's thesis or PhD project, as well as gain experience that will be very desirable by future employers. For those already in the field, submitting to the contest is a great way to gain experience and visibility in the memory forensics community. After the contest is over we promote the work in our conference presentations, blogs, and social media.

If you are looking for inspiration or to see the past winners, please check out the pages from 2013, 2014, 2015, and 2016. You will find projects that allow for inspection of virtual machines guests from the view of the host, recovery of in-memory browser artifacts, methods to detect stealthy rootkits, and much more.

If you have any questions please feel free to reach out to us.

We are looking forward to another year of innovative open source research!

Friday, December 30, 2016

This release improves support for Windows 10 and adds support for Windows Server 2016, Mac OS Sierra 10.12, and Linux with KASLR kernels. A lot of bug fixes went into this release as well as performance enhancements (especially related to page table parsing and virtual address space scanning).